Share this article on:
The theft of a laptop computer from a business associate of CVS pharmacy has resulted in the exposure of customers’ protected health information.
The privacy breach affects certain patients who have previously filled out prescriptions at a single CVS pharmacy in Alabama – The CVS pharmacy at 8370 Highway 31 in Calera. Data stored on the laptop computer include the names of patients along with contact telephone numbers, home addresses, details of the prescriptions provided, and numbers and dispensing dates. No Social Security numbers or financial information were exposed.
The theft occurred on March 16, 2016., and CVS was notified of the data breach on March 22. All affected patients have now been notified of the privacy breach by mail. The laptop theft was reported to the Indianapolis Police Department although the laptop computer has not been recovered.
CVS requires its vendors to encrypt all patient information although in this case encryption was not used. This was a breach of the vendor’s contractual obligations, although the incident was not deemed to be severe enough to warrant the termination of CVS’s business relationship with the vendor.
CVS pharmacy conducted a thorough review of the security incident and was satisfied that this was an isolated error, and “was not caused by lack of internal controls or other systemic issues,” according to a statement released by CVS spokesman Mike DeAngelis.
CVS is satisfied that the additional protections being put in place by the vendor will be sufficient to reduce the risk of future privacy breaches and will enable the vendor to continue working with CVS Health. Additional security measures include providing staff members with further privacy and encryption training.